# $OpenBSD: bgpd.conf,v 1.10 2010/10/13 08:27:44 sthen Exp $ # sample bgpd configuration file # see bgpd.conf(5) #macros peer1="10.1.0.2" peer2="10.1.0.3" # global configuration AS 65001 router-id 10.0.0.1 # holdtime 180 # holdtime min 3 # listen on 127.0.0.1 # listen on ::1 # fib-update no # route-collector no # log updates # network 10.0.1.0/24 # restricted socket for bgplg(8) # socket "/var/www/logs/bgpd.rsock" restricted # neighbors and peers group "peering AS65002" { remote-as 65002 neighbor $peer1 { descr "AS 65001 peer 1" announce self tcp md5sig password mekmitasdigoat } neighbor $peer2 { descr "AS 65001 peer 2" announce all local-address 10.0.0.8 ipsec esp ike } } group "peering AS65042" { descr "peering AS 65042" local-address 10.0.0.8 ipsec ah ike neighbor 10.2.0.1 neighbor 10.2.0.2 } neighbor 10.0.1.0 { remote-as 65003 descr upstream multihop 2 local-address 10.0.0.8 passive holdtime 180 holdtime min 3 announce none tcp md5sig key deadbeef } neighbor 10.0.2.0 { remote-as 65004 descr upstream2 local-address 10.0.0.8 ipsec ah ike } neighbor 10.0.0.0/24 { descr "template for local peers" } neighbor 10.2.1.1 { remote-as 65023 local-address 10.0.0.8 ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \ aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \ aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b } # filter out prefixes longer than 24 or shorter than 8 bits deny from any allow from any inet prefixlen 8 - 24 # accept a default route (since the previous rule blocks this) #allow from any prefix 0.0.0.0/0 # filter bogus networks deny from any prefix 10.0.0.0/8 prefixlen >= 8 deny from any prefix 172.16.0.0/12 prefixlen >= 12 deny from any prefix 192.168.0.0/16 prefixlen >= 16 deny from any prefix 169.254.0.0/16 prefixlen >= 16 deny from any prefix 192.0.2.0/24 prefixlen >= 24 deny from any prefix 224.0.0.0/4 prefixlen >= 4 deny from any prefix 240.0.0.0/4 prefixlen >= 4